What you need to know about OAuth 2.0 for incoming mail in Atlassian products

Both Microsoft and Google announced that they will be deprecating Basic Authentication from use on their respective mail servers, Exchange and Gmail.

Microsoft Exchange will disable Basic Authentication for newly created tenants by default and begin to disable Basic Authentication in tenants that have no recorded usage in October 2020. For current tenants still actively using Basic Authentication, Microsoft has decided to postpone end-of-support until the second half of 2021 in response to the impact of COVID-19. It is important to note that this is only affecting Microsoft Exchange Cloud. It will not affect Microsoft Exchange Server (on-premises). You can reference Microsoft’s official communications on the matter here, in their February update, and in their latest April update.

Gmail’s end-of-support was planned to happen in two phases, with the first occurring in June 2020, however they have since decided to suspend these deadlines until further notice per their update in March 2020. They want to minimize potential disruptions for their customers unable to complete migrations in this timeframe as customers focus on supporting a remote workforce.

In order to give you as much time as is needed to adequately plan for potential migrations, we will soon be adding OAuth 2.0 authentication methods for incoming email (so far using the IMAP and POP3 protocols) for Jira Software, Jira Service Desk, and Confluence. We will also be backporting the fixes to respective supported Enterprise releases. While we do not typically backport new functionality into our Enterprise releases, this integration is deemed essential given the material impact it may have on our products.

We will update this post with the respective fix versions and Enterprise releases once those are confirmed. We treat this work with highest priority and aim to provide the solution ahead of the deadlines set by Microsoft and Google so that you have time to upgrade. 

Should more information come on new deadlines set in place by Microsoft or Google, we will update the post accordingly. Their decisions to suspend certain deadlines will not impact our work to support OAuth 2.0 in impacted products.

OAuth 2.0 support will require you to make changes to the incoming mail settings and the way you configure the incoming email server. It's a good idea to plan to take the time after your upgrade to review the changes so that your instance's email handlers keep working. See below for a full run down of products that will have a material impact once Microsoft and Google’s respective end-of-support dates arrive. Please note that Bitbucket, Bamboo, FeCru and Crowd are not affected by this change.

Jira Software: If you’ve configured incoming mail servers for Jira using Microsoft or Google as mail service providers, you will need to configure the OAuth2.0 authentication method to allow users to create issues and comments via email. Here’s how:

1. Upgrade to Jira Software (when OAuth 2.0 support is added, version TBA) or the latest bug fix version of the supported Enterprise releases (7.13 or 8.5).

2. Configure the OAuth 2.0 authentication method (this step requires System admin rights).

3. Reconfigure your mail servers to use OAuth 2.0 (this step remains available to Jira admins).

After these steps, users can create issues and comments via email.

Jira Service Desk:  If you’ve configured email channels for your projects using Microsoft or Google as mail service providers, you will need to configure the OAuth 2.0 authentication method to allow customers create requests via email. Here’s how:

1. Upgrade to Jira Service Desk (when OAuth 2.0 support is added, version TBA) or the latest bug fix version of the supported Enterprise releases (3.16 or 4.5).

2. Configure the OAuth 2.0 authentication method (this step requires System admin rights).

3. Reconfigure your email channels to use OAuth 2.0 (this step remains available to Jira admins). Email channels are set up separately for each project.

4. If you’ve also configured incoming mail servers for your Jira Core projects, you’ll need to reconfigure them, too.

Confluence: In Confluence, OAuth 2.0 support will require you to make changes to plugins that were previously disabled by default and support functionality like reply to comment via email. When we add OAuth 2.0 support to Confluence (TBA), these plugins will be automatically enabled and allow end users to create a space or page, or comment on a page, directly from their email. If you’ve previously enabled these plugins, you may need to review these changes before you upgrade.